
Commit 10d7e0c

added MDI RBAC
1 parent 2254210 commit 10d7e0c


3 files changed

+19
-17
lines changed


defender-endpoint/threat-analytics.md

Lines changed: 4 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -57,11 +57,11 @@ Each report provides an analysis of a tracked threat and extensive guidance on h
5757

5858
## Required roles and permissions
5959

60-
The following table outlines the roles and permissions required to access threat analytics. Roles defined in the following table refer to custom roles in individual portals and aren't connected to global roles in Microsoft Entra ID, even if similarly named.
60+
The following table outlines the roles and permissions required to access threat analytics. Roles defined in the table refer to custom roles in individual portals and aren't connected to global roles in Microsoft Entra ID, even if similarly named.
6161

62-
| **One of the following roles are required for Microsoft Defender XDR** | **One of the following roles are required for Microsoft Defender for Endpoint** | **One of the following roles are required for Microsoft Defender for Office 365** | **One of the following roles are required for Microsoft Defender for Cloud Apps** | **One of the following roles are required for Microsoft Defender for Cloud** |
62+
| **One of the following roles are required for Microsoft Defender XDR** | **One of the following roles are required for Microsoft Defender for Endpoint** | **One of the following roles are required for Microsoft Defender for Office 365** | **One of the following roles are required for Microsoft Defender for Cloud Apps and Microsoft Defender for Identity** | **One of the following roles is required for Microsoft Defender for Cloud** |
6363
|---------|---------|---------|---------|---------|
64-
| Threat analytics | Alerts and incidents data: <ul><li>View data- security operations</li></ul>Defender Vulnerability Management mitigations:<ul><li>View data - Threat and vulnerability management</li></ul> | Alerts and incidents data:<ul> <li>View-only manage alerts</li> <li>Manage alerts</li> <li>Organization configuration</li><li>Audit logs</li> <li>View-only audit logs</li><li>Security reader</li> <li>Security admin</li><li>View-only recipients</li> </ul> Prevented email attempts: <ul><li>Security reader</li> <li>Security admin</li><li>View-only recipients</li> | Not available for Defender for Cloud Apps or Microsoft Defender for Identity users | <ul><li>Global admin</li><li>Security admin</li></ul> |
64+
| Threat analytics | Alerts and incidents data: <ul><li>View data- security operations</li></ul>Defender Vulnerability Management mitigations:<ul><li>View data - Threat and vulnerability management</li></ul> | Alerts and incidents data:<ul> <li>View-only manage alerts</li> <li>Manage alerts</li> <li>Organization configuration</li><li>Audit logs</li> <li>View-only audit logs</li><li>Security reader</li> <li>Security admin</li><li>View-only recipients</li> </ul> Prevented email attempts: <ul><li>Security reader</li> <li>Security admin</li><li>View-only recipients</li> | <ul><li>Global admin</li> <li>Security admin</li> <li>Compliance admin</li> <li>Security operator</li> <li>Security reader</li></ul> | <ul><li>Global admin</li><li>Security admin</li></ul> |
6565

6666
>[!IMPORTANT]
6767
> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
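Review bot: The header row of this table is now grammatically inconsistent: the fifth column was corrected to `One of the following roles is required for Microsoft Defender for Cloud`, but the first four columns still read `roles are required`; fix all of them to `is required` in the same edit. Two further points on the Threat analytics row: the new Defender for Cloud Apps and Microsoft Defender for Identity cell lists Global admin, Security admin, Compliance admin, Security operator and Security reader, whereas the same row in defender-xdr/custom-roles.md in this commit also lists Global reader, so one of the two tables is wrong; and the Office 365 cell's `Prevented email attempts: <ul>` list is never closed with `</ul>`, which some Markdown renderers handle by swallowing the following cell. Given the IMPORTANT note directly below this table about using roles with the fewest permissions, consider ordering the new list from least to most privileged (Security reader first) instead of leading with Global admin.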
@@ -210,6 +210,7 @@ When looking at the threat analytics data, remember the following factors:
210210

211211
- The checklist in the **Recommended actions** tab only displays recommendations tracked in [Microsoft Secure Score](/defender-xdr/microsoft-secure-score). Check the **Analyst report** tab for more recommended actions that aren't tracked in Secure Score.
212212
- The recommended actions don’t guarantee complete resilience and only reflect the best possible actions needed to improve it.
213+
- Antivirus-related statistics are based on Microsoft Defender Antivirus settings.
213214

214215
## See also
215216
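Review bot: The added bullet `Antivirus-related statistics are based on Microsoft Defender Antivirus settings.` is unrelated to the commit message `added MDI RBAC` and belongs in its own commit so the RBAC change stays reviewable on its own. The sentence is also too vague to act on: name which threat analytics statistics depend on which Microsoft Defender Antivirus settings, and what a reader should check when those figures look wrong.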

defender-xdr/custom-roles.md

Lines changed: 11 additions & 11 deletions
@@ -42,7 +42,7 @@ If you need greater flexibility and control over access to specific product data
4242

4343
For example, a Custom role created through Microsoft Defender for Endpoint would allow access to the relevant product data, including Endpoint data within the Microsoft Defender portal. Similarly, a Custom role created through Microsoft Defender for Office 365 would allow access to the relevant product data, including Email & collaboration data within the Microsoft Defender portal.
4444

45-
Users with existing Custom roles may access data in the Microsoft Defender portal according to their existing workload permissions with no additional configuration required.
45+
Users with existing Custom roles can access data in the Microsoft Defender portal according to their existing workload permissions with no additional configuration required.
4646

4747
## Create and manage custom roles
4848

@@ -75,22 +75,22 @@ Permissions and roles can also be managed in the Microsoft Defender portal:
7575
7676
## Required roles and permissions
7777

78-
The following table outlines the roles and permissions required to access each unified experience in each workload. Roles defined in the table below refer to custom roles in individual portals and are not connected to global roles in Microsoft Entra ID, even if similarly named.
78+
The following table outlines the roles and permissions required to access each unified experience in each workload. Roles defined in the table refer to custom roles in individual portals and aren't connected to global roles in Microsoft Entra ID, even if similarly named.
7979

8080
> [!NOTE]
8181
> Incident management requires management permissions for all products that are part of the incident.
8282
8383
> [!IMPORTANT]
8484
> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
8585
86-
|Microsoft Defender XDR workload|One of the following roles is required for Defender for Endpoint|One of the following roles is required for Defender for Office 365|One of the following roles is required for Defender for Cloud Apps|
87-
|---|---|---|---|
88-
|Viewing investigation data: <ul><li>Alert page</li> <li>Alerts queue</li> <li>Incidents</li> <li>Incident queue</li> <li>Action center</li></ul>|View data- security operations|<ul><li>View-only Manage alerts </li> <li>Organization configuration</li><li>Audit logs</li> <li>View-only audit logs</li> <li>Security reader</li> <li>Security admin</li><li>View-only recipients</li></ul>|<ul><li>Global admin</li> <li>Security admin</li> <li>Compliance admin</li> <li>Security operator</li> <li>Security reader</li> <li>Global reader</li></ul>|
89-
|Viewing hunting data, saving, editing, and deleting hunting queries and functions|View data- security operations|<ul><li>Security reader</li> <li>Security admin</li> <li>View-only recipients</li>|<ul><li>Global admin</li> <li>Security admin</li> <li>Compliance admin</li> <li>Security operator</li> <li>Security reader</li> <li>Global reader</li></ul>|
90-
|Managing alerts and incidents|Alerts investigation|<ul><li>Manage alerts</li> <li>Security admin</li>|<ul><li>Global admin</li> <li>Security admin</li> <li>Compliance admin</li> <li>Security operator</li> <li>Security reader</li></ul>|
91-
|Action center remediation|Active remediation actions – security operations|Search and purge||
92-
|Setting custom detections|Manage security settings|<ul><li>Manage alerts</li> <li>Security admin</li></ul>|<ul><li>Global admin</li> <li>Security admin</li> <li>Compliance admin</li> <li>Security operator</li> <li>Security reader</li> <li>Global reader</li></ul>|
93-
|Threat Analytics|Alerts and incidents data: <ul><li>View data- security operations</li></ul>Defender Vulnerability Management mitigations:<ul><li>View data - Threat and vulnerability management</li></ul>|Alerts and incidents data:<ul> <li>View-only Manage alerts</li> <li>Manage alerts</li> <li>Organization configuration</li><li>Audit logs</li> <li>View-only audit logs</li><li>Security reader</li> <li>Security admin</li><li>View-only recipients</li> </ul> Prevented email attempts: <ul><li>Security reader</li> <li>Security admin</li><li>View-only recipients</li>|Not available for Defender for Cloud Apps or MDI users|
86+
|Microsoft Defender XDR workload|One of the following roles is required for Defender for Endpoint|One of the following roles is required for Defender for Office 365|One of the following roles is required for Defender for Cloud Apps and Defender for Identity | One of the following roles is required for Microsoft Defender for Cloud |
87+
|---|---|---|---|---|
88+
|Viewing investigation data: <ul><li>Alert page</li> <li>Alerts queue</li> <li>Incidents</li> <li>Incident queue</li> <li>Action center</li></ul>|View data- security operations|<ul><li>View-only Manage alerts </li> <li>Organization configuration</li><li>Audit logs</li> <li>View-only audit logs</li> <li>Security reader</li> <li>Security admin</li><li>View-only recipients</li></ul>|<ul><li>Global admin</li> <li>Security admin</li> <li>Compliance admin</li> <li>Security operator</li> <li>Security reader</li> <li>Global reader</li></ul>|<ul><li>Global admin</li><li>Security admin</li></ul> |
89+
|Viewing hunting data, saving, editing, and deleting hunting queries and functions|View data- security operations|<ul><li>Security reader</li> <li>Security admin</li> <li>View-only recipients</li>|<ul><li>Global admin</li> <li>Security admin</li> <li>Compliance admin</li> <li>Security operator</li> <li>Security reader</li> <li>Global reader</li></ul>|<ul><li>Global admin</li><li>Security admin</li></ul> |
90+
|Managing alerts and incidents|Alerts investigation|<ul><li>Manage alerts</li> <li>Security admin</li>|<ul><li>Global admin</li> <li>Security admin</li> <li>Compliance admin</li> <li>Security operator</li> <li>Security reader</li></ul>|<ul><li>Global admin</li><li>Security admin</li></ul> |
91+
|Action center remediation|Active remediation actions – security operations|Search and purge||<ul><li>Global admin</li><li>Security admin</li></ul> |
92+
|Setting custom detections|Manage security settings|<ul><li>Manage alerts</li> <li>Security admin</li></ul>|<ul><li>Global admin</li> <li>Security admin</li> <li>Compliance admin</li> <li>Security operator</li> <li>Security reader</li> <li>Global reader</li></ul>|<ul><li>Global admin</li><li>Security admin</li></ul> |
93+
|Threat Analytics|Alerts and incidents data: <ul><li>View data- security operations</li></ul>Defender Vulnerability Management mitigations:<ul><li>View data - Threat and vulnerability management</li></ul>|Alerts and incidents data:<ul> <li>View-only Manage alerts</li> <li>Manage alerts</li> <li>Organization configuration</li><li>Audit logs</li> <li>View-only audit logs</li><li>Security reader</li> <li>Security admin</li><li>View-only recipients</li> </ul> Prevented email attempts: <ul><li>Security reader</li> <li>Security admin</li><li>View-only recipients</li>|<ul><li>Global admin</li> <li>Security admin</li> <li>Compliance admin</li> <li>Security operator</li> <li>Security reader</li> <li>Global reader</li></ul>|<ul><li>Global admin</li><li>Security admin</li></ul> |
9494

9595
For example, to view hunting data from Microsoft Defender for Endpoint, View data security operations permissions are required.
9696
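Review bot: The new Microsoft Defender for Cloud column grants only Global admin or Security admin for every workload, including the view-only ones (Viewing investigation data, Viewing hunting data), which sits badly with the IMPORTANT note a few lines above recommending roles with the fewest permissions; if a lower-privileged role such as Security reader is enough to view Defender for Cloud data in the portal, list it, and if it genuinely is not, say so explicitly so readers do not assume the column is incomplete. Consistency: the Threat Analytics row's Cloud Apps and Defender for Identity cell includes Global reader here, but the same row added to defender-endpoint/threat-analytics.md and defender-xdr/threat-analytics.md in this commit omits it. Style: the fourth header cell has a stray space before its closing `|`, the fifth header says `Microsoft Defender for Cloud` while the other columns drop `Microsoft`, and the Office 365 cells in the hunting and managing-alerts rows still open a `<ul>` that is never closed.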

@@ -101,7 +101,7 @@ Similarly, to view hunting data from Microsoft Defender for Office 365, users wo
101101
- Security admin
102102
- View-only recipients
103103

104-
## Related topics
104+
## Related articles
105105

106106
- [RBAC roles](/defender-office-365/migrate-to-defender-for-office-365-onboard#rbac-roles)
107107
- [Manage access to Microsoft Defender XDR](m365d-permissions.md)

defender-xdr/threat-analytics.md

Lines changed: 4 additions & 3 deletions
@@ -56,11 +56,11 @@ With more sophisticated adversaries and new threats emerging frequently and prev
5656
Each report provides an analysis of a tracked threat and extensive guidance on how to defend against that threat. It also incorporates data from your network, indicating whether the threat is active and if you have applicable protections in place.
5757

5858
## Required roles and permissions
59-
The following table outlines the roles and permissions required to access Threat Analytics. Roles defined in the following table refer to custom roles in individual portals and aren't connected to global roles in Microsoft Entra ID, even if similarly named.
59+
The following table outlines the roles and permissions required to access Threat Analytics. Roles defined in the table refer to custom roles in individual portals and aren't connected to global roles in Microsoft Entra ID, even if similarly named.
6060

61-
| **One of the following roles are required for Microsoft Defender XDR** | **One of the following roles are required for Microsoft Defender for Endpoint** | **One of the following roles are required for Microsoft Defender for Office 365** | **One of the following roles are required for Microsoft Defender for Cloud Apps** | **One of the following roles are required for Microsoft Defender for Cloud** |
61+
| **One of the following roles are required for Microsoft Defender XDR** | **One of the following roles are required for Microsoft Defender for Endpoint** | **One of the following roles are required for Microsoft Defender for Office 365** | **One of the following roles are required for Microsoft Defender for Cloud Apps and Microsoft Defender for Identity** | **One of the following roles is required for Microsoft Defender for Cloud** |
6262
|---------|---------|---------|---------|---------|
63-
| Threat analytics | Alerts and incidents data: <ul><li>View data- security operations</li></ul>Defender Vulnerability Management mitigations:<ul><li>View data - Threat and vulnerability management</li></ul> | Alerts and incidents data:<ul> <li>View-only manage alerts</li> <li>Manage alerts</li> <li>Organization configuration</li><li>Audit logs</li> <li>View-only audit logs</li><li>Security reader</li> <li>Security admin</li><li>View-only recipients</li> </ul> Prevented email attempts: <ul><li>Security reader</li> <li>Security admin</li><li>View-only recipients</li> | Not available for Defender for Cloud Apps or Microsoft Defender for Identity users | <ul><li>Global admin</li><li>Security admin</li></ul> |
63+
| Threat analytics | Alerts and incidents data: <ul><li>View data- security operations</li></ul>Defender Vulnerability Management mitigations:<ul><li>View data - Threat and vulnerability management</li></ul> | Alerts and incidents data:<ul> <li>View-only manage alerts</li> <li>Manage alerts</li> <li>Organization configuration</li><li>Audit logs</li> <li>View-only audit logs</li><li>Security reader</li> <li>Security admin</li><li>View-only recipients</li> </ul> Prevented email attempts: <ul><li>Security reader</li> <li>Security admin</li><li>View-only recipients</li> | <ul><li>Global admin</li> <li>Security admin</li> <li>Compliance admin</li> <li>Security operator</li> <li>Security reader</li></ul> | <ul><li>Global admin</li><li>Security admin</li></ul> |
6464

6565
>[!IMPORTANT]
6666
> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
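Review bot: This hunk is a near-verbatim copy of the one in defender-endpoint/threat-analytics.md (same header, same row, same wording fixes), so the two files will keep drifting; if the docs toolchain supports includes, move the roles table into a shared include and reference it from both pages. The same defects apply here: the first four header columns still say `roles are required` after the fifth was corrected to `is required`; the Cloud Apps and Microsoft Defender for Identity cell omits Global reader, which the Threat Analytics row in defender-xdr/custom-roles.md lists; and the `Prevented email attempts: <ul>` list in the Office 365 cell has no closing `</ul>`.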
@@ -208,6 +208,7 @@ When looking at the threat analytics data, remember the following factors:
208208

209209
- The checklist in the **Recommended actions** tab only displays recommendations tracked in [Microsoft Secure Score](microsoft-secure-score.md). Check the **Analyst report** tab for more recommended actions that aren't tracked in Secure Score.
210210
- The recommended actions don’t guarantee complete resilience and only reflect the best possible actions needed to improve it.
211+
- Antivirus-related statistics are based on Microsoft Defender Antivirus settings.
211212

212213

213214
## See also
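Review bot: Same unrelated bullet as in defender-endpoint/threat-analytics.md; split it into its own commit and state which threat analytics statistics depend on which Microsoft Defender Antivirus settings. Also, the trailing context shows two consecutive blank lines between the list and `## See also`; one is enough, and trimming it here keeps the two threat-analytics files identical.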
